Talos recently observed a case where the download servers used by a software vendor to distribute a legitimate software package were leveraged to deliver malware to unsuspecting victims. For a period of time, the legitimate signed version of CCleaner 5.33 being distributed by Avast also contained a multi-stage malware payload that rode on top of the installation of CCleaner. CCleaner boasted over 2 billion total downloads by November of 2016 with a growth rate of 5 million additional users per week. Given the potential damage that could be caused by a network of infected computers even a tiny fraction of this size, we decided to move quickly. On September 13, 2017, Cisco Talos immediately notified Avast of our findings so that they could initiate appropriate response activities. The following sections will discuss the specific details regarding this attack.

Without knowing too much about your job, I would start looking at system imaging to create backups of a well-working system. You CAN rely on system images to restore a system to its working state. You CANNOT rely on CCleaner and similar tools to get that same result.

(At my work we store system images for 50-100 systems in about 200 GB, because a good system imaging tool only stores everything once and there is enormous overlap between systems. Just look up dism /capture-image and dism /append-image for a very rudimentary solution.)
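
The two DISM commands mentioned above, combined into one capture script, as an added example that is not part of the original post. The WIM path, capture directory and image name are hypothetical, and it assumes an elevated PowerShell session in Windows PE (with the PowerShell component) where the offline system volume is C:\ and the image store is on a separate disk D:\.

```powershell
# Added example: paths and names are hypothetical placeholders.
param(
    [string]$ImageFile  = 'D:\Images\fleet.wim',   # one shared WIM for all machines
    [string]$CaptureDir = 'C:\',                   # offline system volume to capture
    [Parameter(Mandatory)][string]$Name            # label for this image, e.g. 'PC-017'
)

$ErrorActionPreference = 'Stop'

# The first capture creates the WIM; every later capture is appended to the
# same file, so files already present in the WIM are stored only once.
$verb = if (Test-Path -LiteralPath $ImageFile) { '/Append-Image' } else { '/Capture-Image' }

$dismArgs = @(
    $verb,
    "/ImageFile:$ImageFile",
    "/CaptureDir:$CaptureDir",
    "/Name:$Name",
    '/CheckIntegrity',   # detect and track corruption of the WIM file
    '/Verify'            # check for errors and file duplication during capture
)
& dism.exe @dismArgs
if ($LASTEXITCODE -ne 0) {
    throw "DISM $verb failed with exit code $LASTEXITCODE"
}

# List the images now stored in the WIM (index, name, size) so the new
# entry can be confirmed before the machine is returned to service.
& dism.exe /Get-ImageInfo "/ImageFile:$ImageFile"
if ($LASTEXITCODE -ne 0) {
    throw "DISM /Get-ImageInfo failed with exit code $LASTEXITCODE"
}

# Record a SHA-256 of the WIM so a later restore can confirm that the
# image store has not changed since this capture.
Get-FileHash -LiteralPath $ImageFile -Algorithm SHA256 |
    Select-Object Hash, Path
```

To restore, `dism /Apply-Image /ImageFile:<wim> /Index:<n> /ApplyDir:<volume>` writes the chosen image back to a freshly formatted volume, using the index reported by `/Get-ImageInfo`.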